{"id":"CVE-2019-6802","details":"CRLF Injection in pypiserver 1.2.5 and below allows attackers to set arbitrary HTTP headers and possibly conduct XSS attacks via a URL-encoded CRLF sequence (%0d%0a) in a URI.","aliases":["GHSA-mh24-7wvg-v88g","PYSEC-2019-113"],"modified":"2026-03-14T09:37:29.983575Z","published":"2019-01-25T04:29:00.240Z","references":[{"type":"EVIDENCE","url":"https://github.com/pypiserver/pypiserver/issues/237"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/pypiserver/pypiserver","events":[{"introduced":"0"},{"last_affected":"4ab0c77e301576320bf476af2f03918322041bcd"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.2.5"}]}}],"versions":["0.1.0","0.1.1","0.1.2","0.1.3","0.2.0","0.3.0","0.4.0","0.4.1","0.5.0","0.5.1","0.5.2","0.6.0","0.6.1","1.0.0","1.0.1","1.1.0","1.1.1","1.1.10.dev1","1.1.2","1.1.3","1.1.4","1.1.5","1.1.6","1.1.7","1.1.7-beta.0","1.1.7-rc.1","1.1.8","v1.1.10","v1.1.8-beta.0","v1.1.8-beta.1","v1.1.9","v1.1.9-dev.0","v1.1.9-dev.1","v1.1.9-dev.2","v1.1.9.dev3","v1.1.9.dev4","v1.2.0","v1.2.0.dev1","v1.2.0b2","v1.2.1","v1.2.1dev0","v1.2.2","v1.2.2.dev0","v1.2.3","v1.2.4","v1.2.5"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-6802.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}